dockerfile.best-practice.set-pipefail.set-pipefail

Author: unknown

Only the exit code from the final command in this RUN instruction will be evaluated unless 'pipefail' is set. If you want the command to fail at any stage of the pipe, set 'pipefail' by including 'SHELL ["/bin/bash", "-o", "pipefail", "-c"]' before the command. If you're using Alpine and don't have bash installed, communicate this explicitly with 'SHELL ["/bin/ash"]'.

Definition

rules:
  - id: set-pipefail
    languages:
      - dockerfile
    message: Only the exit code from the final command in this RUN instruction will
      be evaluated unless 'pipefail' is set. If you want to fail the command at
      any stage in the pipe, set 'pipefail' by including 'SHELL ["/bin/bash",
      "-o", "pipefail", "-c"] before the command. If you're using alpine and
      don't have bash installed, communicate this explicitly with `SHELL
      ["/bin/ash"]`.
    metadata:
      references:
        - https://github.com/hadolint/hadolint/wiki/DL4006
      source-rule-url: https://github.com/hadolint/hadolint/wiki/DL4006
      category: best-practice
      technology:
        - dockerfile
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    patterns:
      - pattern-either:
          - pattern: RUN ... | ...
          - pattern: RUN ... || ...
      - pattern-not-inside: |
          SHELL [..., "pipefail", ...]
          ...
          RUN ... | ...
      - pattern-not-inside: |
          SHELL ["/bin/ash", ...]
          ...
          RUN ... | ...
    severity: WARNING

Examples

set-pipefail.dockerfile

# cf. https://github.com/hadolint/hadolint/wiki/DL4006

FROM debian:jessie

# ruleid: set-pipefail
RUN wget -O - https://some.site | wc -l > /number

# ruleid: set-pipefail
RUN apt-get update || apt-get install something || apt-get clean

# ok: set-pipefail
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN wget -O - https://some.site | wc -l > /number

# ok: set-pipefail
SHELL ["/bin/ash", "-o", "pipefail", "-c"]
RUN wget -O - https://some.site | wc -l > /number
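The following script is an added example, not part of the Semgrep rule or its test file, showing what a build step sees as the exit status of the pipelines above with and without pipefail. It assumes /bin/sh and bash are installed; the failing "download" stage is a constructed stand-in for `wget -O - https://some.site`, so it runs offline.

```shell
#!/usr/bin/env bash
# Added example: the exit status a Docker build evaluates for a RUN pipeline,
# with and without pipefail. Assumes /bin/sh and bash exist on the host.
# The first stage is a constructed stand-in for the page's wget call: it
# writes an error and exits with status 4 (wget's network-failure code).
FAILING_PIPE='sh -c "echo fetch failed >&2; exit 4" | wc -l >/dev/null'

# Docker's default SHELL is ["/bin/sh", "-c"]: only wc's status is reported,
# so the failed download is silently ignored and the build continues.
run_without_pipefail() {
  local status=0
  /bin/sh -c "$FAILING_PIPE" || status=$?
  echo "$status"   # prints 0
}

# With SHELL ["/bin/bash", "-o", "pipefail", "-c"], the pipeline reports the
# status of the last stage that failed, so the build step is aborted.
run_with_pipefail() {
  local status=0
  bash -o pipefail -c "$FAILING_PIPE" || status=$?
  echo "$status"   # prints 4
}

# Caveat for the rule's second pattern (RUN a || b || c): pipefail only
# affects pipelines. An || chain still returns the status of the last
# alternative that ran, so a chain ending in a command that always succeeds
# (like the apt-get clean above) hides the failure of the commands before it.
run_or_chain_with_pipefail() {
  local status=0
  bash -o pipefail -c 'false || false || true' || status=$?
  echo "$status"   # prints 0
}

run_without_pipefail
run_with_pipefail
run_or_chain_with_pipefail
```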